/ Zope / Apsis / Pound Mailing List / Archive / 2010 / 2010-03 / Problem with pound SSL


Problem with pound SSL
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-03-16 03:16:56
Hello All

I'm setting up POUND for my entire corporation. We, however, cannot seem to
get the SSL working correctly.

Here's our setup:

(Entire network is private):

Clients >> POUND >> BackendServer1/BackendServer2

Every time our users get directed to the backend servers, the first page is
encrypted. However, all subsequent pages that the user clicks on are not.
This is causing a major problem with our sensitive data. I'm also trying to
get port 80 to automatically redirect to port 443. No luck with either one
so far. Any help you can provide is greatly appreciated! Thank you - Anne

Here's my pound.cfg:

User "nobody"
Group "nobody"
RootJail "/usr/share/pound"
Control "/var/run/pound/ctl_socket"
 
# Main listening ports
ListenHTTP
    Address 192.168.1.12
    Port    80
    xHTTP   1
End
ListenHTTPS
    Address 192.168.1.12
    Port    443
    Cert    "/usr/share/ssl/certs/myserver.pem"
    Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    xHTTP   1
    HeadRemove "X-SSL-Request"
    HeadRemove "X-Forwarded-For"
    AddHeader  "X-SSL-Request: 1"
End
 
# redirect all requests for /forbidden
Service
    Url         "/forbidden.*"
    Redirect    "https://192.168.1.12/"
End
 
# Catch-all server(s)
Service
    BackEnd
        Address 192.168.1.13
        Port    7777
    End
    BackEnd
        Address 192.168.1.14
        Port    7777
    End
    Session
        Type    BASIC
        TTL     300
    End
End


Re: [Pound Mailing List] Problem with pound SSL
Michael Moyle <michael(at)orinoco.jp>
2010-03-16 04:38:03
Anne,

Maybe too simple, but if the first page returns as https://myhost/page I am
wondering if there are hard-coded http:// links on the site, i.e.:
<a href="http://myhost/page2">page 2</a>

instead of

<a href="page2">page 2</a>

regards,
Michael


On Tue, Mar 16, 2010 at 11:16 AM, Anne Moore <diabeticithink(at)yahoo.com> wrote:

> [...]


Re: [Pound Mailing List] Problem with pound SSL
Mattias Berge <mattiasb(at)travellab.com>
2010-03-16 11:22:08
Maybe the backend returns a Location: header with http?
If so, it can be solved with the RewriteLocation option.

On Tue, Mar 16, 2010 at 3:16 AM, Anne Moore <diabeticithink(at)yahoo.com> wrote:

> [...]



-- 
Mattias Berge
Direct +46 (0)40-690 3825


RE: [Pound Mailing List] Problem with pound SSL
"Jacob Anderson" <jwa(at)beyond-ordinary.com>
2010-03-16 17:22:58
Hi Anne,

Next, in your application, check for the "X-SSL-Request: 1" header and have
it redirect to https (you can do that in a simple HTTP root handler if you
are running ASP.NET) when the header is not present or has an invalid value.

Someone else mentioned that you may have embedded links to "http://xxx",
which is likely the case here. Do a global search/replace on
"http://mydomain" (ABACRE Software has a good tool for this that runs on
windows).

Pound does not do the full-scale mod_rewrite capability that you are looking
for. It has some miscellaneous commands that can get you going for simple
rewrites.

Otherwise, you could bind port 80 on a local apache install and have it
mod_rewrite to HTTPS.

-- Jake




-----Original Message-----
From: mattias.berge(at)travelstart.net
[mailto:mattias.berge(at)travelstart.net]
On Behalf Of Mattias Berge
Sent: Tuesday, March 16, 2010 3:22 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] Problem with pound SSL

[...]


--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
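Pulling the thread's Pound-side suggestions together: Anne's port 80 to port 443 redirect, the RewriteLocation directive Mattias mentions, and the X-SSL-Request marker that Jacob's application-side check relies on. The configuration below is an added example written for this archive page; it is not Anne's posted config and not code from the Pound project. It reuses the addresses, ports, certificate path and back ends from Anne's post and assumes Pound 2.x syntax (Service blocks nested inside a listener, the optional status code on Redirect); the /denied.html target in the /forbidden service is a placeholder name. Two things it changes relative to the posted config deserve a note. Only the HTTPS listener there strips X-SSL-Request, so a client connecting to port 80 could send "X-SSL-Request: 1" itself and satisfy an application check that trusts the header; both listeners have to remove it. And the posted cipher string starts from ALL, which leaves export, LOW and SSLv2-era suites enabled (the "+..." entries only move them to the end of the preference order rather than removing them).

```conf
# Added example for this archive page (not Anne's posted config and not
# Pound project code). Addresses, ports, certificate path and back ends are
# taken from Anne's post; Pound 2.x syntax is assumed.

User      "nobody"
Group     "nobody"
RootJail  "/usr/share/pound"
Control   "/var/run/pound/ctl_socket"

# Port 80 never proxies; it only answers with a redirect to HTTPS.
ListenHTTP
    Address 192.168.1.12
    Port    80
    xHTTP   1
    # Strip the marker on this listener as well: if only the HTTPS listener
    # removes it, a plain-HTTP client can forge "X-SSL-Request: 1".
    HeadRemove "X-SSL-Request"
    HeadRemove "X-Forwarded-For"
    # A Service with no Url matches every request on this listener.
    # Because the target URL's path is a bare "/", Pound appends the original
    # request path, so http://192.168.1.12/a/b is sent to https://192.168.1.12/a/b.
    # The status code argument (301 instead of the default 302) needs Pound 2.4+.
    Service
        Redirect 301 "https://192.168.1.12/"
    End
End

ListenHTTPS
    Address 192.168.1.12
    Port    443
    Cert    "/usr/share/ssl/certs/myserver.pem"
    # Start from HIGH and exclude anonymous, null, export, LOW, MD5 and RC4
    # suites explicitly. "!SSLv2" removes the SSLv2-only suites on OpenSSL
    # builds that still have them and is a no-op on builds that do not.
    Ciphers "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!SSLv2"
    # Disable SSLv3
    # (uncomment on Pound releases that document the Disable directive, 2.6+)
    xHTTP   1
    # Rewrite Location: and Content-Location: headers that point at a back end
    # (http://192.168.1.13:7777/...) or at this listener with the wrong scheme,
    # so an http:// redirect issued by the application does not drop the browser
    # back to plain text. 1 is the documented default; it is set explicitly so
    # the intent survives later edits.
    RewriteLocation 1
    HeadRemove "X-SSL-Request"
    HeadRemove "X-Forwarded-For"
    # The application may trust this only because both listeners strip the
    # client-supplied copy first.
    AddHeader  "X-SSL-Request: 1"
End

# Global services are consulted after a listener's own Service blocks, so with
# the redirect-only port-80 listener above only HTTPS traffic reaches these.
Service
    Url      "/forbidden.*"
    # The posted target "https://192.168.1.12/" has a bare "/" path, so Pound
    # appends the request path and sends /forbidden... back to itself over HTTPS.
    # Name a concrete page instead; /denied.html is a placeholder for this example.
    Redirect "https://192.168.1.12/denied.html"
End

# Catch-all server(s), unchanged from the posted config.
Service
    BackEnd
        Address 192.168.1.13
        Port    7777
    End
    BackEnd
        Address 192.168.1.14
        Port    7777
    End
    Session
        Type    BASIC
        TTL     300
    End
End
```

Syntax-check the file before reloading with `pound -c -f /etc/pound.cfg` (the -c flag parses the configuration and exits). Then confirm the two behaviours the thread asks for from a client on the private network: `curl -sI http://192.168.1.12/somepage` should return a 301 whose Location: header is https://192.168.1.12/somepage, and a page that makes the application emit a redirect should now show an https:// Location: in `curl -skI https://192.168.1.12/...` even when the back end itself wrote http://. Links hard-coded as http://... inside HTML bodies are not touched by any of this; Pound rewrites headers, not page content, which is why Michael's check of the markup still stands on its own.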



RE: [Pound Mailing List] Problem with pound SSL
"Anne Moore" <diabeticithink(at)yahoo.com>
2010-03-16 20:20:48
Hi Michael

It's a good idea, but they are not hard coded that way. (I checked that
too.)

Thanks though for your input.

Anne 

-----Original Message-----
From: Michael Moyle [mailto:michael(at)orinoco.jp] 
Sent: Monday, March 15, 2010 11:38 PM
To: pound
Subject: Re: [Pound Mailing List] Problem with pound SSL

[...]

